xref: /freebsd/crypto/openssh/ssh.1 (revision 833a452e9f082a7982a31c21f0da437dbbe0a39d)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: ssh.1,v 1.427 2021/09/10 10:26:02 dtucker Exp $
37.\" $FreeBSD$
38.Dd $Mdocdate: September 10 2021 $
39.Dt SSH 1
40.Os
41.Sh NAME
42.Nm ssh
43.Nd OpenSSH remote login client
44.Sh SYNOPSIS
45.Nm ssh
46.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
47.Op Fl B Ar bind_interface
48.Op Fl b Ar bind_address
49.Op Fl c Ar cipher_spec
50.Op Fl D Oo Ar bind_address : Oc Ns Ar port
51.Op Fl E Ar log_file
52.Op Fl e Ar escape_char
53.Op Fl F Ar configfile
54.Op Fl I Ar pkcs11
55.Op Fl i Ar identity_file
56.Op Fl J Ar destination
57.Op Fl L Ar address
58.Op Fl l Ar login_name
59.Op Fl m Ar mac_spec
60.Op Fl O Ar ctl_cmd
61.Op Fl o Ar option
62.Op Fl p Ar port
63.Op Fl Q Ar query_option
64.Op Fl R Ar address
65.Op Fl S Ar ctl_path
66.Op Fl W Ar host : Ns Ar port
67.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
68.Ar destination
69.Op Ar command Op Ar argument ...
70.Sh DESCRIPTION
71.Nm
72(SSH client) is a program for logging into a remote machine and for
73executing commands on a remote machine.
74It is intended to provide secure encrypted communications between
75two untrusted hosts over an insecure network.
76X11 connections, arbitrary TCP ports and
77.Ux Ns -domain
78sockets can also be forwarded over the secure channel.
79.Pp
80.Nm
81connects and logs into the specified
82.Ar destination ,
83which may be specified as either
84.Sm off
85.Oo user @ Oc hostname
86.Sm on
87or a URI of the form
88.Sm off
89.No ssh:// Oo user @ Oc hostname Op : port .
90.Sm on
91The user must prove
92their identity to the remote machine using one of several methods
93(see below).
94.Pp
95If a
96.Ar command
97is specified,
98it will be executed on the remote host instead of a login shell.
99A complete command line may be specified as
100.Ar command ,
101or it may have additional arguments.
102If supplied, the arguments will be appended to the command, separated by
103spaces, before it is sent to the server to be executed.
104.Pp
105The options are as follows:
106.Pp
107.Bl -tag -width Ds -compact
108.It Fl 4
109Forces
110.Nm
111to use IPv4 addresses only.
112.Pp
113.It Fl 6
114Forces
115.Nm
116to use IPv6 addresses only.
117.Pp
118.It Fl A
119Enables forwarding of connections from an authentication agent such as
120.Xr ssh-agent 1 .
121This can also be specified on a per-host basis in a configuration file.
122.Pp
123Agent forwarding should be enabled with caution.
124Users with the ability to bypass file permissions on the remote host
125(for the agent's
126.Ux Ns -domain
127socket) can access the local agent through the forwarded connection.
128An attacker cannot obtain key material from the agent,
129however they can perform operations on the keys that enable them to
130authenticate using the identities loaded into the agent.
131A safer alternative may be to use a jump host
132(see
133.Fl J ) .
134.Pp
135.It Fl a
136Disables forwarding of the authentication agent connection.
137.Pp
138.It Fl B Ar bind_interface
139Bind to the address of
140.Ar bind_interface
141before attempting to connect to the destination host.
142This is only useful on systems with more than one address.
143.Pp
144.It Fl b Ar bind_address
145Use
146.Ar bind_address
147on the local machine as the source address
148of the connection.
149Only useful on systems with more than one address.
150.Pp
151.It Fl C
152Requests compression of all data (including stdin, stdout, stderr, and
153data for forwarded X11, TCP and
154.Ux Ns -domain
155connections).
156The compression algorithm is the same used by
157.Xr gzip 1 .
158Compression is desirable on modem lines and other
159slow connections, but will only slow down things on fast networks.
160The default value can be set on a host-by-host basis in the
161configuration files; see the
162.Cm Compression
163option.
164.Pp
165.It Fl c Ar cipher_spec
166Selects the cipher specification for encrypting the session.
167.Ar cipher_spec
168is a comma-separated list of ciphers
169listed in order of preference.
170See the
171.Cm Ciphers
172keyword in
173.Xr ssh_config 5
174for more information.
175.Pp
176.It Fl D Xo
177.Sm off
178.Oo Ar bind_address : Oc
179.Ar port
180.Sm on
181.Xc
182Specifies a local
183.Dq dynamic
184application-level port forwarding.
185This works by allocating a socket to listen to
186.Ar port
187on the local side, optionally bound to the specified
188.Ar bind_address .
189Whenever a connection is made to this port, the
190connection is forwarded over the secure channel, and the application
191protocol is then used to determine where to connect to from the
192remote machine.
193Currently the SOCKS4 and SOCKS5 protocols are supported, and
194.Nm
195will act as a SOCKS server.
196Only root can forward privileged ports.
197Dynamic port forwardings can also be specified in the configuration file.
198.Pp
199IPv6 addresses can be specified by enclosing the address in square brackets.
200Only the superuser can forward privileged ports.
201By default, the local port is bound in accordance with the
202.Cm GatewayPorts
203setting.
204However, an explicit
205.Ar bind_address
206may be used to bind the connection to a specific address.
207The
208.Ar bind_address
209of
210.Dq localhost
211indicates that the listening port be bound for local use only, while an
212empty address or
213.Sq *
214indicates that the port should be available from all interfaces.
215.Pp
216.It Fl E Ar log_file
217Append debug logs to
218.Ar log_file
219instead of standard error.
220.Pp
221.It Fl e Ar escape_char
222Sets the escape character for sessions with a pty (default:
223.Ql ~ ) .
224The escape character is only recognized at the beginning of a line.
225The escape character followed by a dot
226.Pq Ql \&.
227closes the connection;
228followed by control-Z suspends the connection;
229and followed by itself sends the escape character once.
230Setting the character to
231.Dq none
232disables any escapes and makes the session fully transparent.
233.Pp
234.It Fl F Ar configfile
235Specifies an alternative per-user configuration file.
236If a configuration file is given on the command line,
237the system-wide configuration file
238.Pq Pa /etc/ssh/ssh_config
239will be ignored.
240The default for the per-user configuration file is
241.Pa ~/.ssh/config .
242If set to
243.Dq none ,
244no configuration files will be read.
245.Pp
246.It Fl f
247Requests
248.Nm
249to go to background just before command execution.
250This is useful if
251.Nm
252is going to ask for passwords or passphrases, but the user
253wants it in the background.
254This implies
255.Fl n .
256The recommended way to start X11 programs at a remote site is with
257something like
258.Ic ssh -f host xterm .
259.Pp
260If the
261.Cm ExitOnForwardFailure
262configuration option is set to
263.Dq yes ,
264then a client started with
265.Fl f
266will wait for all remote port forwards to be successfully established
267before placing itself in the background.
268Refer to the description of
269.Cm ForkAfterAuthentication
270in
271.Xr ssh_config 5
272for details.
273.Pp
274.It Fl G
275Causes
276.Nm
277to print its configuration after evaluating
278.Cm Host
279and
280.Cm Match
281blocks and exit.
282.Pp
283.It Fl g
284Allows remote hosts to connect to local forwarded ports.
285If used on a multiplexed connection, then this option must be specified
286on the master process.
287.Pp
288.It Fl I Ar pkcs11
289Specify the PKCS#11 shared library
290.Nm
291should use to communicate with a PKCS#11 token providing keys for user
292authentication.
293.Pp
294.It Fl i Ar identity_file
295Selects a file from which the identity (private key) for
296public key authentication is read.
297You can also specify a public key file to use the corresponding
298private key that is loaded in
299.Xr ssh-agent 1
300when the private key file is not present locally.
301The default is
302.Pa ~/.ssh/id_dsa ,
303.Pa ~/.ssh/id_ecdsa ,
304.Pa ~/.ssh/id_ecdsa_sk ,
305.Pa ~/.ssh/id_ed25519 ,
306.Pa ~/.ssh/id_ed25519_sk
307and
308.Pa ~/.ssh/id_rsa .
309Identity files may also be specified on
310a per-host basis in the configuration file.
311It is possible to have multiple
312.Fl i
313options (and multiple identities specified in
314configuration files).
315If no certificates have been explicitly specified by the
316.Cm CertificateFile
317directive,
318.Nm
319will also try to load certificate information from the filename obtained
320by appending
321.Pa -cert.pub
322to identity filenames.
323.Pp
324.It Fl J Ar destination
325Connect to the target host by first making a
326.Nm
327connection to the jump host described by
328.Ar destination
329and then establishing a TCP forwarding to the ultimate destination from
330there.
331Multiple jump hops may be specified separated by comma characters.
332This is a shortcut to specify a
333.Cm ProxyJump
334configuration directive.
335Note that configuration directives supplied on the command-line generally
336apply to the destination host and not any specified jump hosts.
337Use
338.Pa ~/.ssh/config
339to specify configuration for jump hosts.
340.Pp
341.It Fl K
342Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
343credentials to the server.
344.Pp
345.It Fl k
346Disables forwarding (delegation) of GSSAPI credentials to the server.
347.Pp
348.It Fl L Xo
349.Sm off
350.Oo Ar bind_address : Oc
351.Ar port : host : hostport
352.Sm on
353.Xc
354.It Fl L Xo
355.Sm off
356.Oo Ar bind_address : Oc
357.Ar port : remote_socket
358.Sm on
359.Xc
360.It Fl L Xo
361.Sm off
362.Ar local_socket : host : hostport
363.Sm on
364.Xc
365.It Fl L Xo
366.Sm off
367.Ar local_socket : remote_socket
368.Sm on
369.Xc
370Specifies that connections to the given TCP port or Unix socket on the local
371(client) host are to be forwarded to the given host and port, or Unix socket,
372on the remote side.
373This works by allocating a socket to listen to either a TCP
374.Ar port
375on the local side, optionally bound to the specified
376.Ar bind_address ,
377or to a Unix socket.
378Whenever a connection is made to the local port or socket, the
379connection is forwarded over the secure channel, and a connection is
380made to either
381.Ar host
382port
383.Ar hostport ,
384or the Unix socket
385.Ar remote_socket ,
386from the remote machine.
387.Pp
388Port forwardings can also be specified in the configuration file.
389Only the superuser can forward privileged ports.
390IPv6 addresses can be specified by enclosing the address in square brackets.
391.Pp
392By default, the local port is bound in accordance with the
393.Cm GatewayPorts
394setting.
395However, an explicit
396.Ar bind_address
397may be used to bind the connection to a specific address.
398The
399.Ar bind_address
400of
401.Dq localhost
402indicates that the listening port be bound for local use only, while an
403empty address or
404.Sq *
405indicates that the port should be available from all interfaces.
406.Pp
407.It Fl l Ar login_name
408Specifies the user to log in as on the remote machine.
409This also may be specified on a per-host basis in the configuration file.
410.Pp
411.It Fl M
412Places the
413.Nm
414client into
415.Dq master
416mode for connection sharing.
417Multiple
418.Fl M
419options places
420.Nm
421into
422.Dq master
423mode but with confirmation required using
424.Xr ssh-askpass 1
425before each operation that changes the multiplexing state
426(e.g. opening a new session).
427Refer to the description of
428.Cm ControlMaster
429in
430.Xr ssh_config 5
431for details.
432.Pp
433.It Fl m Ar mac_spec
434A comma-separated list of MAC (message authentication code) algorithms,
435specified in order of preference.
436See the
437.Cm MACs
438keyword for more information.
439.Pp
440.It Fl N
441Do not execute a remote command.
442This is useful for just forwarding ports.
443Refer to the description of
444.Cm SessionType
445in
446.Xr ssh_config 5
447for details.
448.Pp
449.It Fl n
450Redirects stdin from
451.Pa /dev/null
452(actually, prevents reading from stdin).
453This must be used when
454.Nm
455is run in the background.
456A common trick is to use this to run X11 programs on a remote machine.
457For example,
458.Ic ssh -n shadows.cs.hut.fi emacs &
459will start an emacs on shadows.cs.hut.fi, and the X11
460connection will be automatically forwarded over an encrypted channel.
461The
462.Nm
463program will be put in the background.
464(This does not work if
465.Nm
466needs to ask for a password or passphrase; see also the
467.Fl f
468option.)
469Refer to the description of
470.Cm StdinNull
471in
472.Xr ssh_config 5
473for details.
474.Pp
475.It Fl O Ar ctl_cmd
476Control an active connection multiplexing master process.
477When the
478.Fl O
479option is specified, the
480.Ar ctl_cmd
481argument is interpreted and passed to the master process.
482Valid commands are:
483.Dq check
484(check that the master process is running),
485.Dq forward
486(request forwardings without command execution),
487.Dq cancel
488(cancel forwardings),
489.Dq exit
490(request the master to exit), and
491.Dq stop
492(request the master to stop accepting further multiplexing requests).
493.Pp
494.It Fl o Ar option
495Can be used to give options in the format used in the configuration file.
496This is useful for specifying options for which there is no separate
497command-line flag.
498For full details of the options listed below, and their possible values, see
499.Xr ssh_config 5 .
500.Pp
501.Bl -tag -width Ds -offset indent -compact
502.It AddKeysToAgent
503.It AddressFamily
504.It BatchMode
505.It BindAddress
506.It CanonicalDomains
507.It CanonicalizeFallbackLocal
508.It CanonicalizeHostname
509.It CanonicalizeMaxDots
510.It CanonicalizePermittedCNAMEs
511.It CASignatureAlgorithms
512.It CertificateFile
513.It CheckHostIP
514.It Ciphers
515.It ClearAllForwardings
516.It Compression
517.It ConnectionAttempts
518.It ConnectTimeout
519.It ControlMaster
520.It ControlPath
521.It ControlPersist
522.It DynamicForward
523.It EscapeChar
524.It ExitOnForwardFailure
525.It FingerprintHash
526.It ForkAfterAuthentication
527.It ForwardAgent
528.It ForwardX11
529.It ForwardX11Timeout
530.It ForwardX11Trusted
531.It GatewayPorts
532.It GlobalKnownHostsFile
533.It GSSAPIAuthentication
534.It GSSAPIDelegateCredentials
535.It HashKnownHosts
536.It Host
537.It HostbasedAcceptedAlgorithms
538.It HostbasedAuthentication
539.It HostKeyAlgorithms
540.It HostKeyAlias
541.It Hostname
542.It IdentitiesOnly
543.It IdentityAgent
544.It IdentityFile
545.It IPQoS
546.It KbdInteractiveAuthentication
547.It KbdInteractiveDevices
548.It KexAlgorithms
549.It KnownHostsCommand
550.It LocalCommand
551.It LocalForward
552.It LogLevel
553.It MACs
554.It Match
555.It NoHostAuthenticationForLocalhost
556.It NumberOfPasswordPrompts
557.It PasswordAuthentication
558.It PermitLocalCommand
559.It PermitRemoteOpen
560.It PKCS11Provider
561.It Port
562.It PreferredAuthentications
563.It ProxyCommand
564.It ProxyJump
565.It ProxyUseFdpass
566.It PubkeyAcceptedAlgorithms
567.It PubkeyAuthentication
568.It RekeyLimit
569.It RemoteCommand
570.It RemoteForward
571.It RequestTTY
572.It SendEnv
573.It ServerAliveInterval
574.It ServerAliveCountMax
575.It SessionType
576.It SetEnv
577.It StdinNull
578.It StreamLocalBindMask
579.It StreamLocalBindUnlink
580.It StrictHostKeyChecking
581.It TCPKeepAlive
582.It Tunnel
583.It TunnelDevice
584.It UpdateHostKeys
585.It User
586.It UserKnownHostsFile
587.It VerifyHostKeyDNS
588.It VersionAddendum
589.It VisualHostKey
590.It XAuthLocation
591.El
592.Pp
593.It Fl p Ar port
594Port to connect to on the remote host.
595This can be specified on a
596per-host basis in the configuration file.
597.Pp
598.It Fl Q Ar query_option
599Queries for the algorithms supported by one of the following features:
600.Ar cipher
601(supported symmetric ciphers),
602.Ar cipher-auth
603(supported symmetric ciphers that support authenticated encryption),
604.Ar help
605(supported query terms for use with the
606.Fl Q
607flag),
608.Ar mac
609(supported message integrity codes),
610.Ar kex
611(key exchange algorithms),
612.Ar key
613(key types),
614.Ar key-cert
615(certificate key types),
616.Ar key-plain
617(non-certificate key types),
618.Ar key-sig
619(all key types and signature algorithms),
620.Ar protocol-version
621(supported SSH protocol versions), and
622.Ar sig
623(supported signature algorithms).
624Alternatively, any keyword from
625.Xr ssh_config 5
626or
627.Xr sshd_config 5
628that takes an algorithm list may be used as an alias for the corresponding
629query_option.
630.Pp
631.It Fl q
632Quiet mode.
633Causes most warning and diagnostic messages to be suppressed.
634.Pp
635.It Fl R Xo
636.Sm off
637.Oo Ar bind_address : Oc
638.Ar port : host : hostport
639.Sm on
640.Xc
641.It Fl R Xo
642.Sm off
643.Oo Ar bind_address : Oc
644.Ar port : local_socket
645.Sm on
646.Xc
647.It Fl R Xo
648.Sm off
649.Ar remote_socket : host : hostport
650.Sm on
651.Xc
652.It Fl R Xo
653.Sm off
654.Ar remote_socket : local_socket
655.Sm on
656.Xc
657.It Fl R Xo
658.Sm off
659.Oo Ar bind_address : Oc
660.Ar port
661.Sm on
662.Xc
663Specifies that connections to the given TCP port or Unix socket on the remote
664(server) host are to be forwarded to the local side.
665.Pp
666This works by allocating a socket to listen to either a TCP
667.Ar port
668or to a Unix socket on the remote side.
669Whenever a connection is made to this port or Unix socket, the
670connection is forwarded over the secure channel, and a connection
671is made from the local machine to either an explicit destination specified by
672.Ar host
673port
674.Ar hostport ,
675or
676.Ar local_socket ,
677or, if no explicit destination was specified,
678.Nm
679will act as a SOCKS 4/5 proxy and forward connections to the destinations
680requested by the remote SOCKS client.
681.Pp
682Port forwardings can also be specified in the configuration file.
683Privileged ports can be forwarded only when
684logging in as root on the remote machine.
685IPv6 addresses can be specified by enclosing the address in square brackets.
686.Pp
687By default, TCP listening sockets on the server will be bound to the loopback
688interface only.
689This may be overridden by specifying a
690.Ar bind_address .
691An empty
692.Ar bind_address ,
693or the address
694.Ql * ,
695indicates that the remote socket should listen on all interfaces.
696Specifying a remote
697.Ar bind_address
698will only succeed if the server's
699.Cm GatewayPorts
700option is enabled (see
701.Xr sshd_config 5 ) .
702.Pp
703If the
704.Ar port
705argument is
706.Ql 0 ,
707the listen port will be dynamically allocated on the server and reported
708to the client at run time.
709When used together with
710.Ic -O forward
711the allocated port will be printed to the standard output.
712.Pp
713.It Fl S Ar ctl_path
714Specifies the location of a control socket for connection sharing,
715or the string
716.Dq none
717to disable connection sharing.
718Refer to the description of
719.Cm ControlPath
720and
721.Cm ControlMaster
722in
723.Xr ssh_config 5
724for details.
725.Pp
726.It Fl s
727May be used to request invocation of a subsystem on the remote system.
728Subsystems facilitate the use of SSH
729as a secure transport for other applications (e.g.\&
730.Xr sftp 1 ) .
731The subsystem is specified as the remote command.
732Refer to the description of
733.Cm SessionType
734in
735.Xr ssh_config 5
736for details.
737.Pp
738.It Fl T
739Disable pseudo-terminal allocation.
740.Pp
741.It Fl t
742Force pseudo-terminal allocation.
743This can be used to execute arbitrary
744screen-based programs on a remote machine, which can be very useful,
745e.g. when implementing menu services.
746Multiple
747.Fl t
748options force tty allocation, even if
749.Nm
750has no local tty.
751.Pp
752.It Fl V
753Display the version number and exit.
754.Pp
755.It Fl v
756Verbose mode.
757Causes
758.Nm
759to print debugging messages about its progress.
760This is helpful in
761debugging connection, authentication, and configuration problems.
762Multiple
763.Fl v
764options increase the verbosity.
765The maximum is 3.
766.Pp
767.It Fl W Ar host : Ns Ar port
768Requests that standard input and output on the client be forwarded to
769.Ar host
770on
771.Ar port
772over the secure channel.
773Implies
774.Fl N ,
775.Fl T ,
776.Cm ExitOnForwardFailure
777and
778.Cm ClearAllForwardings ,
779though these can be overridden in the configuration file or using
780.Fl o
781command line options.
782.Pp
783.It Fl w Xo
784.Ar local_tun Ns Op : Ns Ar remote_tun
785.Xc
786Requests
787tunnel
788device forwarding with the specified
789.Xr tun 4
790devices between the client
791.Pq Ar local_tun
792and the server
793.Pq Ar remote_tun .
794.Pp
795The devices may be specified by numerical ID or the keyword
796.Dq any ,
797which uses the next available tunnel device.
798If
799.Ar remote_tun
800is not specified, it defaults to
801.Dq any .
802See also the
803.Cm Tunnel
804and
805.Cm TunnelDevice
806directives in
807.Xr ssh_config 5 .
808.Pp
809If the
810.Cm Tunnel
811directive is unset, it will be set to the default tunnel mode, which is
812.Dq point-to-point .
813If a different
814.Cm Tunnel
815forwarding mode it desired, then it should be specified before
816.Fl w .
817.Pp
818.It Fl X
819Enables X11 forwarding.
820This can also be specified on a per-host basis in a configuration file.
821.Pp
822X11 forwarding should be enabled with caution.
823Users with the ability to bypass file permissions on the remote host
824(for the user's X authorization database)
825can access the local X11 display through the forwarded connection.
826An attacker may then be able to perform activities such as keystroke monitoring.
827.Pp
828For this reason, X11 forwarding is subjected to X11 SECURITY extension
829restrictions by default.
830Please refer to the
831.Nm
832.Fl Y
833option and the
834.Cm ForwardX11Trusted
835directive in
836.Xr ssh_config 5
837for more information.
838.Pp
839.It Fl x
840Disables X11 forwarding.
841.Pp
842.It Fl Y
843Enables trusted X11 forwarding.
844Trusted X11 forwardings are not subjected to the X11 SECURITY extension
845controls.
846.Pp
847.It Fl y
848Send log information using the
849.Xr syslog 3
850system module.
851By default this information is sent to stderr.
852.El
853.Pp
854.Nm
855may additionally obtain configuration data from
856a per-user configuration file and a system-wide configuration file.
857The file format and configuration options are described in
858.Xr ssh_config 5 .
859.Sh AUTHENTICATION
860The OpenSSH SSH client supports SSH protocol 2.
861.Pp
862The methods available for authentication are:
863GSSAPI-based authentication,
864host-based authentication,
865public key authentication,
866keyboard-interactive authentication,
867and password authentication.
868Authentication methods are tried in the order specified above,
869though
870.Cm PreferredAuthentications
871can be used to change the default order.
872.Pp
873Host-based authentication works as follows:
874If the machine the user logs in from is listed in
875.Pa /etc/hosts.equiv
876or
877.Pa /etc/shosts.equiv
878on the remote machine, the user is non-root and the user names are
879the same on both sides, or if the files
880.Pa ~/.rhosts
881or
882.Pa ~/.shosts
883exist in the user's home directory on the
884remote machine and contain a line containing the name of the client
885machine and the name of the user on that machine, the user is
886considered for login.
887Additionally, the server
888.Em must
889be able to verify the client's
890host key (see the description of
891.Pa /etc/ssh/ssh_known_hosts
892and
893.Pa ~/.ssh/known_hosts ,
894below)
895for login to be permitted.
896This authentication method closes security holes due to IP
897spoofing, DNS spoofing, and routing spoofing.
898[Note to the administrator:
899.Pa /etc/hosts.equiv ,
900.Pa ~/.rhosts ,
901and the rlogin/rsh protocol in general, are inherently insecure and should be
902disabled if security is desired.]
903.Pp
904Public key authentication works as follows:
905The scheme is based on public-key cryptography,
906using cryptosystems
907where encryption and decryption are done using separate keys,
908and it is unfeasible to derive the decryption key from the encryption key.
909The idea is that each user creates a public/private
910key pair for authentication purposes.
911The server knows the public key, and only the user knows the private key.
912.Nm
913implements public key authentication protocol automatically,
914using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
915The HISTORY section of
916.Xr ssl 8
917contains a brief discussion of the DSA and RSA algorithms.
918.Pp
919The file
920.Pa ~/.ssh/authorized_keys
921lists the public keys that are permitted for logging in.
922When the user logs in, the
923.Nm
924program tells the server which key pair it would like to use for
925authentication.
926The client proves that it has access to the private key
927and the server checks that the corresponding public key
928is authorized to accept the account.
929.Pp
930The server may inform the client of errors that prevented public key
931authentication from succeeding after authentication completes using a
932different method.
933These may be viewed by increasing the
934.Cm LogLevel
935to
936.Cm DEBUG
937or higher (e.g. by using the
938.Fl v
939flag).
940.Pp
941The user creates their key pair by running
942.Xr ssh-keygen 1 .
943This stores the private key in
944.Pa ~/.ssh/id_dsa
945(DSA),
946.Pa ~/.ssh/id_ecdsa
947(ECDSA),
948.Pa ~/.ssh/id_ecdsa_sk
949(authenticator-hosted ECDSA),
950.Pa ~/.ssh/id_ed25519
951(Ed25519),
952.Pa ~/.ssh/id_ed25519_sk
953(authenticator-hosted Ed25519),
954or
955.Pa ~/.ssh/id_rsa
956(RSA)
957and stores the public key in
958.Pa ~/.ssh/id_dsa.pub
959(DSA),
960.Pa ~/.ssh/id_ecdsa.pub
961(ECDSA),
962.Pa ~/.ssh/id_ecdsa_sk.pub
963(authenticator-hosted ECDSA),
964.Pa ~/.ssh/id_ed25519.pub
965(Ed25519),
966.Pa ~/.ssh/id_ed25519_sk.pub
967(authenticator-hosted Ed25519),
968or
969.Pa ~/.ssh/id_rsa.pub
970(RSA)
971in the user's home directory.
972The user should then copy the public key
973to
974.Pa ~/.ssh/authorized_keys
975in their home directory on the remote machine.
976The
977.Pa authorized_keys
978file corresponds to the conventional
979.Pa ~/.rhosts
980file, and has one key
981per line, though the lines can be very long.
982After this, the user can log in without giving the password.
983.Pp
984A variation on public key authentication
985is available in the form of certificate authentication:
986instead of a set of public/private keys,
987signed certificates are used.
988This has the advantage that a single trusted certification authority
989can be used in place of many public/private keys.
990See the CERTIFICATES section of
991.Xr ssh-keygen 1
992for more information.
993.Pp
994The most convenient way to use public key or certificate authentication
995may be with an authentication agent.
996See
997.Xr ssh-agent 1
998and (optionally) the
999.Cm AddKeysToAgent
1000directive in
1001.Xr ssh_config 5
1002for more information.
1003.Pp
1004Keyboard-interactive authentication works as follows:
1005The server sends an arbitrary
1006.Qq challenge
1007text and prompts for a response, possibly multiple times.
1008Examples of keyboard-interactive authentication include
1009.Bx
1010Authentication (see
1011.Xr login.conf 5 )
1012and PAM (some
1013.Pf non- Ox
1014systems).
1015.Pp
1016Finally, if other authentication methods fail,
1017.Nm
1018prompts the user for a password.
1019The password is sent to the remote
1020host for checking; however, since all communications are encrypted,
1021the password cannot be seen by someone listening on the network.
1022.Pp
1023.Nm
1024automatically maintains and checks a database containing
1025identification for all hosts it has ever been used with.
1026Host keys are stored in
1027.Pa ~/.ssh/known_hosts
1028in the user's home directory.
1029Additionally, the file
1030.Pa /etc/ssh/ssh_known_hosts
1031is automatically checked for known hosts.
1032Any new hosts are automatically added to the user's file.
1033If a host's identification ever changes,
1034.Nm
1035warns about this and disables password authentication to prevent
1036server spoofing or man-in-the-middle attacks,
1037which could otherwise be used to circumvent the encryption.
1038The
1039.Cm StrictHostKeyChecking
1040option can be used to control logins to machines whose
1041host key is not known or has changed.
1042.Pp
1043When the user's identity has been accepted by the server, the server
1044either executes the given command in a non-interactive session or,
1045if no command has been specified, logs into the machine and gives
1046the user a normal shell as an interactive session.
1047All communication with
1048the remote command or shell will be automatically encrypted.
1049.Pp
1050If an interactive session is requested
1051.Nm
1052by default will only request a pseudo-terminal (pty) for interactive
1053sessions when the client has one.
1054The flags
1055.Fl T
1056and
1057.Fl t
1058can be used to override this behaviour.
1059.Pp
1060If a pseudo-terminal has been allocated the
1061user may use the escape characters noted below.
1062.Pp
1063If no pseudo-terminal has been allocated,
1064the session is transparent and can be used to reliably transfer binary data.
1065On most systems, setting the escape character to
1066.Dq none
1067will also make the session transparent even if a tty is used.
1068.Pp
1069The session terminates when the command or shell on the remote
1070machine exits and all X11 and TCP connections have been closed.
1071.Sh ESCAPE CHARACTERS
1072When a pseudo-terminal has been requested,
1073.Nm
1074supports a number of functions through the use of an escape character.
1075.Pp
1076A single tilde character can be sent as
1077.Ic ~~
1078or by following the tilde by a character other than those described below.
1079The escape character must always follow a newline to be interpreted as
1080special.
1081The escape character can be changed in configuration files using the
1082.Cm EscapeChar
1083configuration directive or on the command line by the
1084.Fl e
1085option.
1086.Pp
1087The supported escapes (assuming the default
1088.Ql ~ )
1089are:
1090.Bl -tag -width Ds
1091.It Cm ~.
1092Disconnect.
1093.It Cm ~^Z
1094Background
1095.Nm .
1096.It Cm ~#
1097List forwarded connections.
1098.It Cm ~&
1099Background
1100.Nm
1101at logout when waiting for forwarded connection / X11 sessions to terminate.
1102.It Cm ~?
1103Display a list of escape characters.
1104.It Cm ~B
1105Send a BREAK to the remote system
1106(only useful if the peer supports it).
1107.It Cm ~C
1108Open command line.
1109Currently this allows the addition of port forwardings using the
1110.Fl L ,
1111.Fl R
1112and
1113.Fl D
1114options (see above).
1115It also allows the cancellation of existing port-forwardings
1116with
1117.Sm off
1118.Fl KL Oo Ar bind_address : Oc Ar port
1119.Sm on
1120for local,
1121.Sm off
1122.Fl KR Oo Ar bind_address : Oc Ar port
1123.Sm on
1124for remote and
1125.Sm off
1126.Fl KD Oo Ar bind_address : Oc Ar port
1127.Sm on
1128for dynamic port-forwardings.
1129.Ic !\& Ns Ar command
1130allows the user to execute a local command if the
1131.Ic PermitLocalCommand
1132option is enabled in
1133.Xr ssh_config 5 .
1134Basic help is available, using the
1135.Fl h
1136option.
1137.It Cm ~R
1138Request rekeying of the connection
1139(only useful if the peer supports it).
1140.It Cm ~V
1141Decrease the verbosity
1142.Pq Ic LogLevel
1143when errors are being written to stderr.
1144.It Cm ~v
1145Increase the verbosity
1146.Pq Ic LogLevel
1147when errors are being written to stderr.
1148.El
1149.Sh TCP FORWARDING
1150Forwarding of arbitrary TCP connections over a secure channel
1151can be specified either on the command line or in a configuration file.
1152One possible application of TCP forwarding is a secure connection to a
1153mail server; another is going through firewalls.
1154.Pp
1155In the example below, we look at encrypting communication for an IRC client,
1156even though the IRC server it connects to does not directly
1157support encrypted communication.
1158This works as follows:
1159the user connects to the remote host using
1160.Nm ,
1161specifying the ports to be used to forward the connection.
1162After that it is possible to start the program locally,
1163and
1164.Nm
1165will encrypt and forward the connection to the remote server.
1166.Pp
1167The following example tunnels an IRC session from the client
1168to an IRC server at
1169.Dq server.example.com ,
1170joining channel
1171.Dq #users ,
1172nickname
1173.Dq pinky ,
1174using the standard IRC port, 6667:
1175.Bd -literal -offset 4n
1176$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
1177$ irc -c '#users' pinky IRC/127.0.0.1
1178.Ed
1179.Pp
1180The
1181.Fl f
1182option backgrounds
1183.Nm
1184and the remote command
1185.Dq sleep 10
1186is specified to allow an amount of time
1187(10 seconds, in the example)
1188to start the program which is going to use the tunnel.
1189If no connections are made within the time specified,
1190.Nm
1191will exit.
1192.Sh X11 FORWARDING
1193If the
1194.Cm ForwardX11
1195variable is set to
1196.Dq yes
1197(or see the description of the
1198.Fl X ,
1199.Fl x ,
1200and
1201.Fl Y
1202options above)
1203and the user is using X11 (the
1204.Ev DISPLAY
1205environment variable is set), the connection to the X11 display is
1206automatically forwarded to the remote side in such a way that any X11
1207programs started from the shell (or command) will go through the
1208encrypted channel, and the connection to the real X server will be made
1209from the local machine.
1210The user should not manually set
1211.Ev DISPLAY .
1212Forwarding of X11 connections can be
1213configured on the command line or in configuration files.
1214.Pp
1215The
1216.Ev DISPLAY
1217value set by
1218.Nm
1219will point to the server machine, but with a display number greater than zero.
1220This is normal, and happens because
1221.Nm
1222creates a
1223.Dq proxy
1224X server on the server machine for forwarding the
1225connections over the encrypted channel.
1226.Pp
1227.Nm
1228will also automatically set up Xauthority data on the server machine.
1229For this purpose, it will generate a random authorization cookie,
1230store it in Xauthority on the server, and verify that any forwarded
1231connections carry this cookie and replace it by the real cookie when
1232the connection is opened.
1233The real authentication cookie is never
1234sent to the server machine (and no cookies are sent in the plain).
1235.Pp
1236If the
1237.Cm ForwardAgent
1238variable is set to
1239.Dq yes
1240(or see the description of the
1241.Fl A
1242and
1243.Fl a
1244options above) and
1245the user is using an authentication agent, the connection to the agent
1246is automatically forwarded to the remote side.
1247.Sh VERIFYING HOST KEYS
1248When connecting to a server for the first time,
1249a fingerprint of the server's public key is presented to the user
1250(unless the option
1251.Cm StrictHostKeyChecking
1252has been disabled).
1253Fingerprints can be determined using
1254.Xr ssh-keygen 1 :
1255.Pp
1256.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1257.Pp
1258If the fingerprint is already known, it can be matched
1259and the key can be accepted or rejected.
1260If only legacy (MD5) fingerprints for the server are available, the
1261.Xr ssh-keygen 1
1262.Fl E
1263option may be used to downgrade the fingerprint algorithm to match.
1264.Pp
1265Because of the difficulty of comparing host keys
1266just by looking at fingerprint strings,
1267there is also support to compare host keys visually,
1268using
1269.Em random art .
1270By setting the
1271.Cm VisualHostKey
1272option to
1273.Dq yes ,
1274a small ASCII graphic gets displayed on every login to a server, no matter
1275if the session itself is interactive or not.
1276By learning the pattern a known server produces, a user can easily
1277find out that the host key has changed when a completely different pattern
1278is displayed.
1279Because these patterns are not unambiguous however, a pattern that looks
1280similar to the pattern remembered only gives a good probability that the
1281host key is the same, not guaranteed proof.
1282.Pp
1283To get a listing of the fingerprints along with their random art for
1284all known hosts, the following command line can be used:
1285.Pp
1286.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
1287.Pp
1288If the fingerprint is unknown,
1289an alternative method of verification is available:
1290SSH fingerprints verified by DNS.
1291An additional resource record (RR),
1292SSHFP,
1293is added to a zonefile
1294and the connecting client is able to match the fingerprint
1295with that of the key presented.
1296.Pp
1297In this example, we are connecting a client to a server,
1298.Dq host.example.com .
1299The SSHFP resource records should first be added to the zonefile for
1300host.example.com:
1301.Bd -literal -offset indent
1302$ ssh-keygen -r host.example.com.
1303.Ed
1304.Pp
1305The output lines will have to be added to the zonefile.
1306To check that the zone is answering fingerprint queries:
1307.Pp
1308.Dl $ dig -t SSHFP host.example.com
1309.Pp
1310Finally the client connects:
1311.Bd -literal -offset indent
1312$ ssh -o "VerifyHostKeyDNS ask" host.example.com
1313[...]
1314Matching host key fingerprint found in DNS.
1315Are you sure you want to continue connecting (yes/no)?
1316.Ed
1317.Pp
1318See the
1319.Cm VerifyHostKeyDNS
1320option in
1321.Xr ssh_config 5
1322for more information.
1323.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1324.Nm
1325contains support for Virtual Private Network (VPN) tunnelling
1326using the
1327.Xr tun 4
1328network pseudo-device,
1329allowing two networks to be joined securely.
1330The
1331.Xr sshd_config 5
1332configuration option
1333.Cm PermitTunnel
1334controls whether the server supports this,
1335and at what level (layer 2 or 3 traffic).
1336.Pp
1337The following example would connect client network 10.0.50.0/24
1338with remote network 10.0.99.0/24 using a point-to-point connection
1339from 10.1.1.1 to 10.1.1.2,
1340provided that the SSH server running on the gateway to the remote network,
1341at 192.168.1.15, allows it.
1342.Pp
1343On the client:
1344.Bd -literal -offset indent
1345# ssh -f -w 0:1 192.168.1.15 true
1346# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
1347# route add 10.0.99.0/24 10.1.1.2
1348.Ed
1349.Pp
1350On the server:
1351.Bd -literal -offset indent
1352# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
1353# route add 10.0.50.0/24 10.1.1.1
1354.Ed
1355.Pp
1356Client access may be more finely tuned via the
1357.Pa /root/.ssh/authorized_keys
1358file (see below) and the
1359.Cm PermitRootLogin
1360server option.
1361The following entry would permit connections on
1362.Xr tun 4
1363device 1 from user
1364.Dq jane
1365and on tun device 2 from user
1366.Dq john ,
1367if
1368.Cm PermitRootLogin
1369is set to
1370.Dq forced-commands-only :
1371.Bd -literal -offset 2n
1372tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1373tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
1374.Ed
1375.Pp
1376Since an SSH-based setup entails a fair amount of overhead,
1377it may be more suited to temporary setups,
1378such as for wireless VPNs.
1379More permanent VPNs are better provided by tools such as
1380.Xr ipsecctl 8
1381and
1382.Xr isakmpd 8 .
1383.Sh ENVIRONMENT
1384.Nm
1385will normally set the following environment variables:
1386.Bl -tag -width "SSH_ORIGINAL_COMMAND"
1387.It Ev DISPLAY
1388The
1389.Ev DISPLAY
1390variable indicates the location of the X11 server.
1391It is automatically set by
1392.Nm
1393to point to a value of the form
1394.Dq hostname:n ,
1395where
1396.Dq hostname
1397indicates the host where the shell runs, and
1398.Sq n
1399is an integer \*(Ge 1.
1400.Nm
1401uses this special value to forward X11 connections over the secure
1402channel.
1403The user should normally not set
1404.Ev DISPLAY
1405explicitly, as that
1406will render the X11 connection insecure (and will require the user to
1407manually copy any required authorization cookies).
1408.It Ev HOME
1409Set to the path of the user's home directory.
1410.It Ev LOGNAME
1411Synonym for
1412.Ev USER ;
1413set for compatibility with systems that use this variable.
1414.It Ev MAIL
1415Set to the path of the user's mailbox.
1416.It Ev PATH
1417Set to the default
1418.Ev PATH ,
1419as specified when compiling
1420.Nm .
1421.It Ev SSH_ASKPASS
1422If
1423.Nm
1424needs a passphrase, it will read the passphrase from the current
1425terminal if it was run from a terminal.
1426If
1427.Nm
1428does not have a terminal associated with it but
1429.Ev DISPLAY
1430and
1431.Ev SSH_ASKPASS
1432are set, it will execute the program specified by
1433.Ev SSH_ASKPASS
1434and open an X11 window to read the passphrase.
1435This is particularly useful when calling
1436.Nm
1437from a
1438.Pa .xsession
1439or related script.
1440(Note that on some machines it
1441may be necessary to redirect the input from
1442.Pa /dev/null
1443to make this work.)
1444.It Ev SSH_ASKPASS_REQUIRE
1445Allows further control over the use of an askpass program.
1446If this variable is set to
1447.Dq never
1448then
1449.Nm
1450will never attempt to use one.
1451If it is set to
1452.Dq prefer ,
1453then
1454.Nm
1455will prefer to use the askpass program instead of the TTY when requesting
1456passwords.
1457Finally, if the variable is set to
1458.Dq force ,
1459then the askpass program will be used for all passphrase input regardless
1460of whether
1461.Ev DISPLAY
1462is set.
1463.It Ev SSH_AUTH_SOCK
1464Identifies the path of a
1465.Ux Ns -domain
1466socket used to communicate with the agent.
1467.It Ev SSH_CONNECTION
1468Identifies the client and server ends of the connection.
1469The variable contains
1470four space-separated values: client IP address, client port number,
1471server IP address, and server port number.
1472.It Ev SSH_ORIGINAL_COMMAND
1473This variable contains the original command line if a forced command
1474is executed.
1475It can be used to extract the original arguments.
1476.It Ev SSH_TTY
1477This is set to the name of the tty (path to the device) associated
1478with the current shell or command.
1479If the current session has no tty,
1480this variable is not set.
1481.It Ev SSH_TUNNEL
1482Optionally set by
1483.Xr sshd 8
1484to contain the interface names assigned if tunnel forwarding was
1485requested by the client.
1486.It Ev SSH_USER_AUTH
1487Optionally set by
1488.Xr sshd 8 ,
1489this variable may contain a pathname to a file that lists the authentication
1490methods successfully used when the session was established, including any
1491public keys that were used.
1492.It Ev TZ
1493This variable is set to indicate the present time zone if it
1494was set when the daemon was started (i.e. the daemon passes the value
1495on to new connections).
1496.It Ev USER
1497Set to the name of the user logging in.
1498.El
1499.Pp
1500Additionally,
1501.Nm
1502reads
1503.Pa ~/.ssh/environment ,
1504and adds lines of the format
1505.Dq VARNAME=value
1506to the environment if the file exists and users are allowed to
1507change their environment.
1508For more information, see the
1509.Cm PermitUserEnvironment
1510option in
1511.Xr sshd_config 5 .
1512.Sh FILES
1513.Bl -tag -width Ds -compact
1514.It Pa ~/.rhosts
1515This file is used for host-based authentication (see above).
1516On some machines this file may need to be
1517world-readable if the user's home directory is on an NFS partition,
1518because
1519.Xr sshd 8
1520reads it as root.
1521Additionally, this file must be owned by the user,
1522and must not have write permissions for anyone else.
1523The recommended
1524permission for most machines is read/write for the user, and not
1525accessible by others.
1526.Pp
1527.It Pa ~/.shosts
1528This file is used in exactly the same way as
1529.Pa .rhosts ,
1530but allows host-based authentication without permitting login with
1531rlogin/rsh.
1532.Pp
1533.It Pa ~/.ssh/
1534This directory is the default location for all user-specific configuration
1535and authentication information.
1536There is no general requirement to keep the entire contents of this directory
1537secret, but the recommended permissions are read/write/execute for the user,
1538and not accessible by others.
1539.Pp
1540.It Pa ~/.ssh/authorized_keys
1541Lists the public keys (DSA, ECDSA, Ed25519, RSA)
1542that can be used for logging in as this user.
1543The format of this file is described in the
1544.Xr sshd 8
1545manual page.
1546This file is not highly sensitive, but the recommended
1547permissions are read/write for the user, and not accessible by others.
1548.Pp
1549.It Pa ~/.ssh/config
1550This is the per-user configuration file.
1551The file format and configuration options are described in
1552.Xr ssh_config 5 .
1553Because of the potential for abuse, this file must have strict permissions:
1554read/write for the user, and not writable by others.
1555.Pp
1556.It Pa ~/.ssh/environment
1557Contains additional definitions for environment variables; see
1558.Sx ENVIRONMENT ,
1559above.
1560.Pp
1561.It Pa ~/.ssh/id_dsa
1562.It Pa ~/.ssh/id_ecdsa
1563.It Pa ~/.ssh/id_ecdsa_sk
1564.It Pa ~/.ssh/id_ed25519
1565.It Pa ~/.ssh/id_ed25519_sk
1566.It Pa ~/.ssh/id_rsa
1567Contains the private key for authentication.
1568These files
1569contain sensitive data and should be readable by the user but not
1570accessible by others (read/write/execute).
1571.Nm
1572will simply ignore a private key file if it is accessible by others.
1573It is possible to specify a passphrase when
1574generating the key which will be used to encrypt the
1575sensitive part of this file using AES-128.
1576.Pp
1577.It Pa ~/.ssh/id_dsa.pub
1578.It Pa ~/.ssh/id_ecdsa.pub
1579.It Pa ~/.ssh/id_ecdsa_sk.pub
1580.It Pa ~/.ssh/id_ed25519.pub
1581.It Pa ~/.ssh/id_ed25519_sk.pub
1582.It Pa ~/.ssh/id_rsa.pub
1583Contains the public key for authentication.
1584These files are not
1585sensitive and can (but need not) be readable by anyone.
1586.Pp
1587.It Pa ~/.ssh/known_hosts
1588Contains a list of host keys for all hosts the user has logged into
1589that are not already in the systemwide list of known host keys.
1590See
1591.Xr sshd 8
1592for further details of the format of this file.
1593.Pp
1594.It Pa ~/.ssh/rc
1595Commands in this file are executed by
1596.Nm
1597when the user logs in, just before the user's shell (or command) is
1598started.
1599See the
1600.Xr sshd 8
1601manual page for more information.
1602.Pp
1603.It Pa /etc/hosts.equiv
1604This file is for host-based authentication (see above).
1605It should only be writable by root.
1606.Pp
1607.It Pa /etc/shosts.equiv
1608This file is used in exactly the same way as
1609.Pa hosts.equiv ,
1610but allows host-based authentication without permitting login with
1611rlogin/rsh.
1612.Pp
1613.It Pa /etc/ssh/ssh_config
1614Systemwide configuration file.
1615The file format and configuration options are described in
1616.Xr ssh_config 5 .
1617.Pp
1618.It Pa /etc/ssh/ssh_host_key
1619.It Pa /etc/ssh/ssh_host_dsa_key
1620.It Pa /etc/ssh/ssh_host_ecdsa_key
1621.It Pa /etc/ssh/ssh_host_ed25519_key
1622.It Pa /etc/ssh/ssh_host_rsa_key
1623These files contain the private parts of the host keys
1624and are used for host-based authentication.
1625.Pp
1626.It Pa /etc/ssh/ssh_known_hosts
1627Systemwide list of known host keys.
1628This file should be prepared by the
1629system administrator to contain the public host keys of all machines in the
1630organization.
1631It should be world-readable.
1632See
1633.Xr sshd 8
1634for further details of the format of this file.
1635.Pp
1636.It Pa /etc/ssh/sshrc
1637Commands in this file are executed by
1638.Nm
1639when the user logs in, just before the user's shell (or command) is started.
1640See the
1641.Xr sshd 8
1642manual page for more information.
1643.El
1644.Sh EXIT STATUS
1645.Nm
1646exits with the exit status of the remote command or with 255
1647if an error occurred.
1648.Sh SEE ALSO
1649.Xr scp 1 ,
1650.Xr sftp 1 ,
1651.Xr ssh-add 1 ,
1652.Xr ssh-agent 1 ,
1653.Xr ssh-keygen 1 ,
1654.Xr ssh-keyscan 1 ,
1655.Xr tun 4 ,
1656.Xr ssh_config 5 ,
1657.Xr ssh-keysign 8 ,
1658.Xr sshd 8
1659.Sh STANDARDS
1660.Rs
1661.%A S. Lehtinen
1662.%A C. Lonvick
1663.%D January 2006
1664.%R RFC 4250
1665.%T The Secure Shell (SSH) Protocol Assigned Numbers
1666.Re
1667.Pp
1668.Rs
1669.%A T. Ylonen
1670.%A C. Lonvick
1671.%D January 2006
1672.%R RFC 4251
1673.%T The Secure Shell (SSH) Protocol Architecture
1674.Re
1675.Pp
1676.Rs
1677.%A T. Ylonen
1678.%A C. Lonvick
1679.%D January 2006
1680.%R RFC 4252
1681.%T The Secure Shell (SSH) Authentication Protocol
1682.Re
1683.Pp
1684.Rs
1685.%A T. Ylonen
1686.%A C. Lonvick
1687.%D January 2006
1688.%R RFC 4253
1689.%T The Secure Shell (SSH) Transport Layer Protocol
1690.Re
1691.Pp
1692.Rs
1693.%A T. Ylonen
1694.%A C. Lonvick
1695.%D January 2006
1696.%R RFC 4254
1697.%T The Secure Shell (SSH) Connection Protocol
1698.Re
1699.Pp
1700.Rs
1701.%A J. Schlyter
1702.%A W. Griffin
1703.%D January 2006
1704.%R RFC 4255
1705.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
1706.Re
1707.Pp
1708.Rs
1709.%A F. Cusack
1710.%A M. Forssen
1711.%D January 2006
1712.%R RFC 4256
1713.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
1714.Re
1715.Pp
1716.Rs
1717.%A J. Galbraith
1718.%A P. Remaker
1719.%D January 2006
1720.%R RFC 4335
1721.%T The Secure Shell (SSH) Session Channel Break Extension
1722.Re
1723.Pp
1724.Rs
1725.%A M. Bellare
1726.%A T. Kohno
1727.%A C. Namprempre
1728.%D January 2006
1729.%R RFC 4344
1730.%T The Secure Shell (SSH) Transport Layer Encryption Modes
1731.Re
1732.Pp
1733.Rs
1734.%A B. Harris
1735.%D January 2006
1736.%R RFC 4345
1737.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
1738.Re
1739.Pp
1740.Rs
1741.%A M. Friedl
1742.%A N. Provos
1743.%A W. Simpson
1744.%D March 2006
1745.%R RFC 4419
1746.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
1747.Re
1748.Pp
1749.Rs
1750.%A J. Galbraith
1751.%A R. Thayer
1752.%D November 2006
1753.%R RFC 4716
1754.%T The Secure Shell (SSH) Public Key File Format
1755.Re
1756.Pp
1757.Rs
1758.%A D. Stebila
1759.%A J. Green
1760.%D December 2009
1761.%R RFC 5656
1762.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
1763.Re
1764.Pp
1765.Rs
1766.%A A. Perrig
1767.%A D. Song
1768.%D 1999
1769.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)
1770.%T Hash Visualization: a New Technique to improve Real-World Security
1771.Re
1772.Sh AUTHORS
1773OpenSSH is a derivative of the original and free
1774ssh 1.2.12 release by Tatu Ylonen.
1775Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1776Theo de Raadt and Dug Song
1777removed many bugs, re-added newer features and
1778created OpenSSH.
1779Markus Friedl contributed the support for SSH
1780protocol versions 1.5 and 2.0.
1781